Security lessons taught by goats

Trying to contain farm animals, who are surprisingly creative and adept at getting around barriers, has a lot to teach us about how to approach our efforts at protecting data from crafty users.

If I’ve learned anything in my two decades of working in the InfoSec industry, it’s that the practical application of securing data can be challenging. Every time I start to feel like I have a pretty good grasp on how to protect my data, something will occur that makes me realize how big a problem a seemingly simple error can cause.

I’ve found no better metaphor for these errors than my constant battle to keep our farm animals contained. In certain circles, it’s a common truism that "if your fence won't hold water, it won't hold a goat." Many of us who’ve tried to protect data for and from humans will recognize this sentiment. Both critters and computer-users are astoundingly adept at going through barriers in creative and unexpected ways.

No matter how complex or how old the vulnerability is, patch it anyway

We became aware of a hole in our fence that was accessible only by entering a narrow alley that was protected by a gate, which was bungeed in place. Our goats had gotten stuck in this alley a couple of times, and it unnerved them so much that I figured they wouldn’t bother exploring it further. A few months later, one of the goats figured out that not only could he move the gate if the sheep offered “assistance” (read: head-butting the goat because he’s in the way), but if he stood up and turned the other way round, he could comfortably shimmy his way out of this hole.

While it might seem like this convoluted turn of events would be a one-time fluke, it happened twice in 12 hours. If the reward is sufficiently great, they will find a way.

Understand and explain the reasoning behind recommended guidelines

While raising our first clutch of ducklings, I had read that you should wait a few months before clipping their flight wings. So we waited the recommended period of time, erring on the side of waiting a little longer just to be safe. Two days after the specified date, the ducks flew into the neighbor’s yard.

In retrospect, it seems obvious that I should have investigated further to see if there were a way to visually assess when they were ready. When a subject is new and sensitive, it can be tempting to just accept the word of experts without question or to draw incorrect conclusions based on mistaken assumptions. When you train users, or get training yourself, make sure that “why” is covered as well as “what”, “how” and “when”.

Risk assessment should be an ongoing task

One morning as I was feeding the chickens, I accidentally startled a hen. Her alarm calls unnerved a twitchy, young rooster, who flew towards the netting around their enclosure. I hadn’t realized that during the previous night a leaf had fallen onto the netting and created a gap between two sections that was just wide enough for him to fly out.

It doesn’t take much to make a change big enough to cause problems: by constantly monitoring our assets, we can help mitigate new risks.

Multiple defenses can balance security and functionality

It would be lovely if we could just let our animals roam as they please. But I have it on good authority from the local rabbits and deer that our neighbors’ roses are delicious, and that there are hungry predators nearby. As such, we deploy multiple levels of protection for the benefit of our critters and for the neighbors’ gardens, considering their relative level of risk and need.

The risk of predation is greatest at night, which is also when their need to roam (and our ability to supervise) is lowest, so we lock our beasties in secure enclosures before sunset. During the day, our critters have access to larger areas, but can still hide in their shelter if need be. Beyond that, our whole property is fenced in case they escape their individual enclosures. In each of the incidents I describe, no harm came to the critters because we had a series of barriers and alerts, so there was no one point of failure.

We also can’t underestimate the psychological angle: our animals all know where their safe areas are and will go there if they feel they are at risk. If they get out of those areas, they quickly get our attention and we put things right.

No matter whose statistics you use, you’ll find the majority of security breaches are due to human error. Those mistakes are often made by accident, not by malice. By understanding the risks, preparing for mishaps, and letting our users know they can come to us in times of trouble, we can make our workplaces safer for everyone.

Since 1999, Lysa Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis of and advice on security trends and events.